Only able to receive mail by allowing open relay (by MX record)

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Only able to receive mail by allowing open relay (by MX record)

    I have a new client who has made some ill-informed changes to his Exchange System Manager in SBS2003. So his setup is not as default, but I do not know (amongst the many possible settings that there are) which he has changed. He may have done no harm at all, but I can't usefully read any setup steps to help me because this is not a new setup-from-scratch type situation.

    Last month, he used to download his email from a POP box at his ISP. He has now changed that by asking his ISP to add an MX record, which has been done and it points correctly to his public IP address and his router port forwards 25 to his SBS computer. So far so good.

    Now, when I send him mail, I get a return email saying this:
    The following recipient(s) could not be reached:
    [email protected] on 19/11/2007 11:02
    mail.hisdomain.co.uk: Failed (550 5.7.1 Unable to relay for [email protected])
    I could only correct this by going to ESM > Administrative Groups > First Administrative Group > Servers > Server1 > Protocols > SMTP > Default SMTP Virtual Server then right click, properties, and on the Access tab, click the Relay button and change it to "All except the list below" (which is a blank list). It used to say "Only the list below" (which I think is the default setting?) and there was the server's local IP address as well as 127.0.0.1.

    After doing that, I can send him mail and it arrives instantly as expected.

    However, I believe that doing this has left his server as an open relay machine, so how can I allow email to be sent to port 25 of his SBS computer (i.e. not by POP3 download) and configure it to prohibit open relay? On most SBS boxes that I help with, I simply instruct the ISP to setup an MX record and it all works without the SBS box being an open relay and without me having to change any settings at all. In the due course of time, I eventually intend to remove the POP3 download config.

    I have followed http://support.microsoft.com/kb/895853 but their advice is to change the setting I refer to above to "only the list below", which then prohibits receiving mail directly, and so he has to download it from the POP box, which negates the advantage of having an MX record.

    To clarify - his MX 5 record points to his public IP address for his router, and his MX 20 record points to his old POP box which still exists, so when mail fails to go straight to his public IP address, it is sent instead to his ISP's POP box. That is how we can tell where it is going.
    Best wishes,
    PaulH.
    MCP:Server 2003; MCITP:Server 2008; MCTS: SBS2008

  • #2
    Re: Only able to receive mail by allowing open relay (by MX record)

    Rule number one with SBS. Do not change anything manually. What you should have done is run the Connect to the Internet and Email wizard. That would have set everything as it should be from a security point of view.

    It does sound like the server is now a relay. It should be none except the list below. You should ensure that the Connection restrictions are not set. However, the wizard should sort everything out for you.

    Simon.
    --
    Simon Butler
    Exchange MVP

    Blog: http://blog.sembee.co.uk/
    More Exchange Content: http://exchange.sembee.info/
    Exchange Resources List: http://exbpa.com/
    In the UK? Hire me: http://www.sembee.co.uk/

    Sembee is a registered trademark, used here with permission.



    • #3
      Re: Only able to receive mail by allowing open relay (by MX record)

      Good advice, Simon, many thanks. I will see how I get on and post back with my results.
      Best wishes,
      PaulH.



      • #4
        Re: Only able to receive mail by allowing open relay (by MX record)

        I ran CEICW which finished ok and so then I sent a test email to them. My mail server's debug log (it happens to be a Kerio mailserver) says
        Client does not have permission to submit mail to this server.
        Following that, my mail server looks up the next highest MX record, which is the domain hosting company who have their pop boxes still intact, and my mail server sends the email to that, instead. Whenever anyone sends mail to them, it ends up in the POP box at the hosting company for the same reason - Exchange refuses them in.

        So, I am trying to figure out how to configure it to accept email from senders who start a conversation via MX record to their port 25, and yet not open this up as a relay for all spammers to use.
        Best wishes,
        PaulH.



        • #5
          Re: Only able to receive mail by allowing open relay (by MX record)

          That error usually means someone has turned off anonymous authentication on the SMTP virtual server. Check that hasn't happened as it must be on for the email to be delivered.

          If the wizard is used, and you set the external domain in the wizard correctly, then Exchange is relay secure out of the box.

          Simon.



          • #6
            Re: Only able to receive mail by allowing open relay (by MX record)

            The setting in default SMTP Server > Access tab > Authentication button > Anonymous Access is UNCHECKED, as you suspected. After running CEICW no settings were altered manually.

            The last time I ticked this box, i.e. before running the CEICW and before starting this thread, it made the Exchange server an open relay, because I used an open relay test website to see if their public IP was an open relay and the website came back and said that it was.

            So, I am worried that perhaps ticking this box to allow Anonymous Access may turn it into an open relay again (by manually ticking the box and disobeying the golden rule!), but nevertheless I decided to go ahead and allow anonymous access so that I could then immediately check whether it is an open relay and... the website says it is an open relay. The site I am using is http://www.abuse.net/relay.html

            So I seem to be stuck between having an open relay and not being able to use an MX record.

            I'm so puzzled, because I have achieved MX record email for countless clients who were on POP3 download and usually it just works!
            Best wishes,
            PaulH.



            • #7
              Re: Only able to receive mail by allowing open relay (by MX record)

              Solved! Very many thanks, Simon and yinyang's too.

              Situation is this: I ticked the box allowing anonymous access, as you said. Then, worried about open relay, I went to that site, which said it may be an open relay, and I got scared about that. However, here's the rub: I then performed 2 manual tests for open relay, which I have more faith in:

              Code:
              TELNET mail.hisdomain.com 25
              HELO mail.hisdomain.com
              MAIL FROM:[email protected]
              RCPT TO:[email protected]
              What I wanted to see was a 550 error, which I did get, saying relay prohibited.

              My second test was to set up an email account in any old email client software, with his public IP address set as the mail server. I tried to use that account to send mail and it came back with an error saying relay prohibited.

              So I am now confident that it is not an open relay.

              Many thanks to you Simon.
              Best wishes,
              PaulH.
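The manual telnet check in the post above, scripted so an administrator can repeat it against a server they run and read the verdict from the SMTP reply codes. This is an added example, not code from the thread; the probe addresses, the HELO name and the two scripted server transcripts are constructed.

```python
import io
import socket

# Constructed probe addresses: neither domain belongs to the server under test,
# so a relay-secured server must refuse the RCPT TO with a 5xx reply.
PROBE_SENDER = "probe@example.net"
PROBE_RECIPIENT = "someone@example.org"

def read_reply(rfile):
    """Read one SMTP reply; multi-line replies use '250-' continuation lines."""
    lines = []
    while True:
        line = rfile.readline()
        if not line:
            raise ConnectionError("server closed the connection")
        lines.append(line.rstrip("\r\n"))
        if len(line) >= 4 and line[3] == " ":   # last line of the reply
            return int(line[:3]), "\n".join(lines)

def relay_check(rfile, wfile, helo_name="relaytest.example.net"):
    """Replay HELO / MAIL FROM / RCPT TO; return (is_open_relay, transcript)."""
    transcript = []

    def send(cmd):
        wfile.write(cmd + "\r\n")
        wfile.flush()
        code, text = read_reply(rfile)
        transcript.extend(["> " + cmd, "< " + text])
        return code

    code, banner = read_reply(rfile)
    transcript.append("< " + banner)
    if code != 220 or send(f"HELO {helo_name}") != 250:
        return False, transcript          # no session; cannot judge relaying
    if send(f"MAIL FROM:<{PROBE_SENDER}>") != 250:
        return False, transcript          # sender refused outright
    rcpt_code = send(f"RCPT TO:<{PROBE_RECIPIENT}>")
    send("QUIT")
    # 250 here means the server accepted a recipient it is not responsible for,
    # i.e. it relays; a secured server answers 550 5.7.1 "Unable to relay".
    return rcpt_code == 250, transcript

def check_host(host, port=25, timeout=10):
    """Run the check against a live server you administer."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        return relay_check(s.makefile("r", encoding="ascii", errors="replace"),
                           s.makefile("w", encoding="ascii", newline=""))

def simulate(server_replies):
    """Offline dry run over a scripted (constructed) server transcript."""
    return relay_check(io.StringIO(server_replies), io.StringIO())

SECURED = ("220 mail.example ESMTP\r\n250 mail.example Hello\r\n250 2.1.0 Sender OK\r\n"
           "550 5.7.1 Unable to relay for someone@example.org\r\n221 2.0.0 Bye\r\n")
OPEN = SECURED.replace("550 5.7.1 Unable to relay for someone@example.org",
                       "250 2.1.5 Recipient OK")
```

`simulate(SECURED)` reports no relay and `simulate(OPEN)` reports one; `check_host("mail.hisdomain.com")` performs the same dialogue against a real server.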
